Would it make sense to have the SSL checker start checking for DANE/TLSA DNS records? (RFC6698/7218)
Basically, these let you put records in DNS that have the hash of your private key, which you can use instead of/in addition to the standard root certificates in-browser.
We publish these pretty heavily at the day job, and postfix also checks them in recent versions. There are third-party plugins for some browsers as well, and it's on the roadmap for Mozilla, I believe.
Does anyone else use these?